Card Technology Choices for U.S. Issuers An EMV White Paper

Transcription

1 Card Technology Choices for U.S. Issuers An EMV White Paper

2 This white paper is written with the aim of educating Issuers in the United States on the various technology choices that they have to consider as they migrate their financial card portfolios from a magnetic strip based card to a more complex smart chip based EMV card. The consequence of these choices is as impactful as the consideration to migrate to EMV itself, given the money and effort that will be put towards a successful migration. Issuers must view the EMV migration in the US not only as a matter of compliance to mandates and laws, but also seek to gain the most value for the money spent. According to data published by the EMVCo 1, more than 1.5 Billion EMV compatible cards have been issued around the world as of Q The United States, being one of the last few major countries (last among G-20 member nations) in the world to adopt EMV, has plenty of data points and lessons to learn from the EMV migration experiences in other parts of the world, including our close neighbor Canada where most, if not all, payment cards are now chip based. While much guidance and experience can be obtained from EMV migration efforts in other parts of the world, it needs to be put in the context of the already mature US payments market. The dynamics of the payment industry in the US are quite different from much of the world. For instance: - More than 1.2 Billion Credit and Debit cards are currently in circulation in the US, much more than any other country in the world. In contrast, Canada has a little over 100 million Credit and Debit cards in circulation. There are more than 7,000 banks in the US 2. In contrast, there are fewer than 100 banks in Canada. Given the magnitude of change that has to happen, the EMV migration experience in the US could be much different from other parts of the world. - The Durbin Amendment to the Dodd-Frank Act that went into effect in October 2011 requires that merchants have a choice of at least 2 unaffiliated debit payment networks via whom the transaction can be processed. The millions of magnetic stripe only debit cards in circulation today are readily Durbin compliant because the POS terminals can easily read the Track 2 magnetic stripe data and process it across any debit network of merchant choice. Unless the

3 - payment brand applications on the EMV chip card can be selected and processed over the various debit networks, Durbin compliance will continue to be a significant issue in the US EMV migration effort. - The US has 16 PIN debit networks through which Debit transactions can be routed, whereas most countries have only 1 or 2 networks. Such a broad network means migration will be slow and there are likely to be interoperability issues before all EMV credit/debit cards are accepted at all merchant/atm locations. - Near Field Communication (NFC) based mobile payments (or the concept thereof) is now influencing much of how the payment industry in the US views EMV. This was not a very big factor while other countries underwent the EMV migration. ABnote has the knowledge and experience, having provided global EMV solutions for years, to support your EMV migration The US payments market is not new to smart chip based payments though. Visa (PayWave), MasterCard (PayPass), American Express (ExpressPay) and Discover (Zip) have put out their own versions of contactless chip based payment cards specifically for the US market. These cards were meant to enhance user experience by allowing the customer to pay by simply waving the card across the POS terminal, rather than swiping the magnetic stripe. Over 30,000 merchant locations accept these contactless payment cards in the U.S., including KFC and McDonald s. These cards however could not be used outside the US. With the major payment brands now embracing EMV technology for the US and issuing their mandates for U.S. Issuers and Acquirers, it is expected that the contactless-only cards will slowly disappear. 3

4 The following pages uncover some of the technology choices that an Issuer has to consider as they build their EMV product portfolio. Card Interface Smart cards are nothing but miniscule computers (chip ICs) embedded within a plastic card. How a card holder uses the chip card to make payments is a matter of practical concern for issuers. There are effectively 2 choices for a customer at a POS terminal: Contact or Contactless. Issuers have a choice to make on what kinds of interfaces they will make available for their customer. Regardless of what chip interface is used, most payment cards in the US will include a magnetic stripe on the back for backward compatibility for the foreseeable future. Contact Interface: The chip card has to be inserted or dipped into a POS terminal reader, in a way that the contact pads on the card come in physical connection with the reader s pins. As one can imagine, training the average card holder to orient the card correctly before insertion can be an issue. But in reality, millions of card holders in the US already have to consciously orient their magnetic strip cards before it can be swiped. A possible challenge for merchants with a contact chip transaction is that the clerk at the POS terminal has to make sure the customer does not walk away without the card after the transaction is complete. Issuers also have a choice of whether the contact surface on the card has a gold or a palladium finish, and whether the chip has a 6-or-8 Contact. Contactless Interface: In this case, the chip card needs to only be waved like a wand over the POS terminal reader. The transaction speed is definitely much faster 1 as there are no card orientation issues. The process of waving the card is certainly more convenient. Further, it allows the merchants to perfectly segway into processing Smartphone payments via NFC thus tying themselves closer to the customer s shopping experience. Dual Interface: Simply put, the POS terminal can communicate to the chip over the contact (verb: insert/dip) or the contactless (verb: wave) interface. An Issuer needs to keep the following in mind whilst making a choice on the card interface: 1 4

5 - Visa has recommended Contact-only card with a companion mobile application or Dual Interface card 1 for the US, whereas MasterCard has recommended Dual-Interface 2. Contactless-only cards are not acceptable, as some issuers allow updating the chip data (such as updating the balance or managing the risk parameters) only through the contact interface of the card, even if the card supports both interfaces. - Most POS terminals in the European Union support only Contact interface cards. - Dual interface cards are more expensive to issue than Contact only cards In Canada, jury on the card interface is split right in the middle - 50% Contact and 50% Dual Interface. Further, almost 100% of MasterCard branded EMV cards in Canada are Dual-Interface 3. It is expected that the number of Dual Interface cards will surpass the Contact-only interface card circulation in the coming years. Card Authentication Issuers must first carefully consider whether their credit/debit cards can be used in an offline environment. The US boasts of a very robust network, where-in card authentication/authorization can be done online. The same cannot be guaranteed if the card holder travels abroad where online transactions may not work. A key value proposition of smartcards in comparison to ABnote Boston s production facility has undergone stringent security audits and is certified by Visa, MasterCard and Discover magnetic strip cards, is the security inherent to smart chips that can be leveraged in an offline authentication environment. The EMV standard defines three offline card authentication methods amongst which the Issuer has a choice to make: Static Data Authentication (SDA): A digital signature is computed and 1 Visa Recommended Practices for EMV Chip Implementation in the U.S.; Chip Advisory #20, Updated July 11, Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure? A Smart Card Alliance Payments Council White Paper. Publication Date: September

6 written to the card during its personalization phase and remains static for the life of the card. This digital signature is verified cryptographically by the POS terminal to confirm that the card data has not been manipulated since issuance. Since the signature is static, fraudulent cards cannot be detected unless the transaction is processed online. SDA chips are usually cheaper than their DDA counterpart, due to the absence of a crypto-engine on the chip itself. Dynamic Data Authentication (DDA): A unique digital signature is dynamically generated by the chip for each transaction, which means that the chip must support RSA cryptographic algorithm. DDA is a stronger form of offline data authentication (compared to SDA) because it is not feasible to extract the private key stored in the chip that is used to create the dynamic digital signature. DDA protects against skimming of the data stored in the chip. For the same reason, it is also more widely used across the world. Note that a DDA chip is also able to support PIN encryption for Card Holder Verification, because of its RSA cryptographic capability. Combined Data Authentication (CDA): This type of authentication combines DDA with an additional step of Application Cryptogram generation. Issuers must carefully consider what type of authentication they want: SDA or DDA, keeping in mind that the cheaper solution is not necessarily the best solution in the long run. VISA, in its recommendation for US, has supported online verification 1 - i.e. no requirement for SDA or DDA. Other payment brands have deferred to Issuers, but do require the chip to support DDA if the issuers choose to support offline authentication. Payment Applications The payment application(s) installed on the chip is usually associated with the payment brand associated 1 Visa Recommended Practices for EMV Chip Implementation in the U.S.; Chip Advisory #20, Updated July 11,

7 with the card. The most common payment applications installed on a chip are American Express AEIPS, Discover D-Pas, First Data STAR, MasterCard M/Chip and VISA VSDC. An alternative to branded proprietary payment applications mentioned above is the Common Payment Application (CPA) whose specification was developed by the EMVCo. CPA enables Issuers to provide payment cards that are not necessarily branded by one of the payment brands such as VISA, MasterCard etc... In addition, the CPA is also recognized and accepted ABnote can assist your organization in making the best technology choice and ensure maximum value for money by all the payment brands. One or more of these applications will be present on each EMV chip card. An Issuer s concern is usually which payment applications must be included in the chip. For one, in order to be Durbin Amendment compliant, debit card Issuers need to make sure that the payment applications on the card can be processed by 2 or more unaffiliated payment processing networks. Visa 1 and MasterCard 2 recently made announcements aimed at resolving this issue, by opening up their proprietary technology to other debit processors. Meanwhile, the Secure Remote Payments Council (SRPc) made up of several debit networks adopted Discover D-Pas as the common debit application for U.S. 3 Secondly, issuers need to make sure that their card manufacturer/personalization bureau has gone through the respective payment brands strict security and quality certification procedures, in order to be able to manufacture that card product with that payment application. Third, larger chip memory is required for installing more than one payment application, thus the cost of the chip will be higher. Operating System There are several chip operating systems available in the market, including: Java, MULTOS and other native operating systems. Both Java and MULTOS are widely considered to be secure platforms to host the execution of multiple applications (including payment) on the smart chip. JavaCard platform was derived from the Java language, and is by far the most deployed amongst all

8 operating system in the world and trusted widely to be very secure. Java Static is a low-footprint sibling of JavaCard and consequently it costs less than regular JavaCard. The limitation though is that new applications (or applets) cannot be added to the chip, once issued. JavaCard, now owned by Oracle Corporation, has a small licensing cost that adds to the price of the solution. MULTOS, on the other hand, was specifically designed with the purpose of providing a trusted and secure platform for financial applications on a smartcard and relies on a closed-loop process of Enablement 1, through which each chip card is linked directly to the Issuer and adding/removing applications on the chip can be done only with the authorization of the Issuer. Native operating systems, developed as an alternate to JavaCard and MULTOS, tend to be slightly cheaper and more closely integrated with chip manufacturer s hardware architecture. Ultimately, the Issuer s choice of Operating System must rely on the cost-security analysis that the solution provides. Regardless of which operating system is chosen, it is encouraged to choose platforms that are CPS compliant. ABnote is agnostic to the chip operating system used in our EMV products, and we promote CPS compliance for the benefit of our Issuers. CPS Compliance A key consideration for Issuers and especially Personalization Bureaus is whether the chip card product is EMV CPS (Card Personalization Specification) compliant. EMVCo defined the Card Personalization 1 8

9 Specification 1 to standardize the Personalization phase and thus reduce the costs for the Bureaus (and eventually Issuers) associated with developing custom personalization solutions for each non-standard product. Ultimately, a CPS compliant product means lower costs. While not a technology choice, the Issuers must certainly consider and be aware of the End-of-Life dates for the smart chips used in their card portfolio. The Chip End-of-Life (EOL) date is the date unto which the payment brands consider the chip to be valid for EMV card issuance, and so managing the chip lifecycle requires utmost attention. It would not help the Issuer to learn that their product is about to expire in less than 6 months after introduction into the market. In general, it is encouraged to pick products that have an end-of-life at least 2 years from the current date. 1 9

10 Future Trends It is widely expected that mobile payments will be the way of the future 1. As Near Field Communication (NFC) enabled smart phones become more common place and applications emerge that make it easier, more secure and enhance the customer shopping experience, this will happen. Payment cards will continue to be part of the ecosystem for the foreseeable future, especially to accommodate for all the extraneous use cases where a mobile payment cannot be put into play. In addition, there will always be those consumers who are apprehensive about keeping their credit card details only a touch away from their compulsive tendencies while browsing their smart phone. Second, the chip on the EMV card offers the issuers with an opportunity to provide their customers a seamless experience in using their payment cards in other environments such as Loyalty, Transit, Access Control etc... Issuers need to consider future proofing their card product portfolio with ABnote has a wealth of experience in managing the card and chip lifecycle this in mind. As trends in other countries have shown, fraud shifts to Card-Not-Present (CNP) environments when EMV cards are first deployed. Securing e-commerce transactions will be another area of focus in the forthcoming years to combat CNP fraud. There are several ways in which this can be accomplished including dynamic passwords, hardware tokens, tracking spending profiles etc As Issuers carefully consider their technology options for deploying EMV in the US, they must seek to learn from similar migration experiences around the world but also keep in mind the generational shift in technology that has happened since EMV specification was first drafted, and apply them in the context of the US payments industry. 1 reach_90b_by_

A Guide to EMV Version 1.0 May 2011 Objective Provide an overview of the EMV specifications and processes What is EMV? Why EMV? Position EMV in the context of the wider payments industry Define the role

Mobile Near-Field Communications (NFC) Payments OCTOBER 2013 GENERAL INFORMATION American Express continues to develop its infrastructure and capabilities to support growing market interest in mobile payments

Accenture Payment Services Payments Transformation - EMV comes to the US In 1993 Visa, MasterCard and Europay (EMV) came together and formed EMVCo 1 to tackle the global challenge of combatting fraudulent

September 2014 EMV and Small Merchants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service

PRODUCT CAPABILITY GUIDE American Express Contactless Payments American Express Contactless Payments Help Enable Increased Convenience For Card Members At The Point Of Sale American Express contactless

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP WHERE IS THE U.S. PAYMENT CARD INDUSTRY NOW? WHERE IS IT GOING? Today, payment and identification cards of all types (credit

FAQ EMV EMV Overview What are the benefits of EMV cards? A: Several factors are driving the U.S. card market to migrate to chip-based cards using the EMV specifications. EMV offers advantages for consumers,

October 2014 EMV and Restaurants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service marks

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change Advancements in technological capabilities, along with increasing levels of counterfeit fraud, led the

INTRODUCTION AND HISTORY EMV is actually younger than we all may think as it only became available, as a specification that could be implemented, in 1996. The evolution of EMV can be seen in the development

EMV in Hotels Observations and Considerations Just in: EMV in the Mail Customer Education: Credit Card companies have already started customer training for the new smart cards. 1 Questions to be Answered

U.S. consumers are receiving new debit and credit cards with embedded chip technology that better stores and protects cardholder information. These new chip cards are part of the new card standard, Europay,

A Brand New Checkout Experience EMV Transformation EMV technology is transforming the U.S. payment industry, bringing a whole new experience to the checkout counter. Introduction What is EMV? It s 3 small

A Brand New Checkout Experience EMV Transformation EMV technology is transforming the U.S. payment industry, bringing a whole new experience to the checkout counter. Introduction What is EMV? It s 3 small

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means Document Purpose This document is intended to provide information about the concepts behind and the processes involved

Effective November 1, 2014 1. What is EMV? EMV is the global standard for card present payment processing technology and it s coming to the U.S. EMV uses an embedded chip in the card that holds all the

August 2015 A RE T HE U.S. CHIP RULES ENOUGH? A longer term view of security and the payments landscape is needed. Abstract: The United States is finally modernizing its card payment systems and confronting

EMV FOR U.S. ACQUIRERS: SEVEN GUIDING PRINCIPLES FOR EMV READINESS BY PHILLIP MILLER, GUY BERG, JEFF STROUD, AND STEVEN PAESE Acquirer EMV 1 enablement is a critical first step to full chip migration in

EMV : Frequently Asked Questions for Merchants The information in this document is offered on an as is basis, without warranty of any kind, either expressed, implied or statutory, including but not limited

EMV Frequently Asked Questions for Merchants May, 2014 Copyright 2014 Vantiv All rights reserved. Disclaimer The information in this document is offered on an as is basis, without warranty of any kind,

How to Prepare for EMV Point of sale requirements are changing. Get ready now. The EMV mandate is fast approaching. Now is the time to plan a strategy to prepare for this change. 2 EMV: The Backstory 3

EMV FAQs Contact us at: CS@VancoPayments.com Visit us online: VancoPayments.com What are the benefits of EMV cards to merchants and consumers? What is EMV? The acronym EMV stands for an organization formed

PayPass M/Chip Requirements 10 April 2014 Notices Following are policies pertaining to proprietary rights, trademarks, translations, and details about the availability of additional information online.

Mobile Payment: The next step of secure payment VDI / VDE-Colloquium May 16th, 2013 G&D has been growing through continuous innovation Server software and services Token and embedded security Cards for

Bringing Mobile Payments to Market for an International Retailer Founded in 2011, Clearbridge Mobile has emerged as a world class studio developing state of the art wearable and mobile wallet / payment

liber8:payment welcome to liber8:payment Our self-service kiosks free up staff time and improve the overall patron experience. liber8:payment further enhances these benefits by providing the convenience

U.S. EMV Debit Implementation Version 1.0 August 15, 2014 About Debit Network Alliance Debit Network Alliance LLC (DNA) is a Delaware limited liability company owned by ten U.S. Debit Networks, and open

Practically Thinking: What Small Merchants Should Know about EMV 1 Practically Thinking: What Small Merchants Should Know About EMV Overview Savvy business owners know that payments are about more than

My main responsibility as a Regional Account Manager for IMD is obtain the absolute lowest possible merchant fees for you as a business. Why? The more customers we can save money, the more volume of business

The Canadian Migration to EMV Prepared By: December 1993 Everyone But The USA Is Migrating The international schemes decided Smart Cards are the way forward Europay, MasterCard & Visa International Produced

Understand the Business Impact of EMV Chip Cards 3 What About Mail/Telephone Order and ecommerce? 3 What Is EMV 3 How Chip Cards Work 3 Contactless Technology 4 Background: Behind the Curve 4 Liability

Implication of EMV Migration for the U.S. Transportation Industry 1 Introduction Transportation payment methods are constantly evolving. When cash handling became too expensive and inconvenient, the metal

CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new

U.S. Bank Chip Card (EMV ) CAL-Card FAQs Below are answers to some frequently asked questions about the migration to U.S. Bank chipenabled CAL-Cards. This guide can help ensure that you are prepared for

Apple Pay Frequently Asked Questions UK Launch Version 1.0 2015 First Data Corporation. All Rights Reserved. All trademarks, service marks and trade names referenced in this material are the property of

HCE AND CLOUD BASED PAYMENTS 1 Contactless payments are vital for further development of the payment industry. More than 3 mln POS terminals around the globe can accept contactless payments. Mobile phones

The Impact of Emerging Payment Technologies on Retail and Hospitality Businesses The Impact of Emerging Payment Technologies on Retail and Hospitality Businesses Making the customer payment process convenient,

CONTACTLESS THE APPEAL FOR CONTACTLESS 3 AVAILABLE CONTACTLESS TECHNOLOGIES 3 USING ISO 14443 BASED TECHNOLOGY FOR 4 DESIGNING AN EMV LIKE CONTACTLESS SYSTEM 5 INGENICO, LEADER IN CONTACTLESS TECHNOLOGY

EMV's Role in reducing Payment Risks: a Multi-Layered Approach April 24, 2013 Agenda EMV Rationale Why is this worth the effort? Guides how we implement it EMV Vulnerability at the POS EMV Impact on CNP

Frequently asked questions - Visa paywave What is Visa paywave? Visa paywave is a new contactless method of payment - the latest evolution in Visa payments. It is a simple, secure and quick payment method

Emerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly DAN KRAMER SHAZAM, Senior Vice President Agenda The Ugly Fraud The Bad EMV? The Good Tokenization and Other Emerging Payment Options

PCI 3.1 Changes Jon Bonham, CISA Coalfire System, Inc. Agenda Introduction of Coalfire What does this have to do with the business office Changes to version 3.1 EMV P2PE Questions and Answers Contact Information

The Path to Compliance: Selecting Another PIN Debit Network By: Kevin Barry General Manager, STAR Network 2011 First Data Corporation. All trademarks, service marks and trade names referenced in this material

U.S. Bank U.S. Bank Chip Card FAQs for Program Administrators Here are some frequently asked questions Program Administrators have about the replacement of U.S. Bank commercial cards with new chip-enabled

Plotting a Course for EMV Compliance Plotting a Course for EMV Compliance PCI compliance...emv compliance by now, you ve heard repeatedly that your store or restaurant must be EMV-compliant by the recently

Mobile MasterCard PayPass Testing and Approval Guide December 2009 - Version 2.0 Proprietary Rights Trademarks The information contained in this document is proprietary and confidential to MasterCard International

EMV: Preparing for the shift The impending shift in liability for card-present fraud is driving a transition to EMV, which comes replete with new retail IT requirements and consumer-facing changes to the

SETUP GUIDE High Speed Secure Credit Card Processing Thank you for your purchase of Hamilton products! In this handy guide, you will discover: WHAT IS INCLUDED ADDITIONAL REQUIREMENTS HOW IT WORKS SETUP

White paper A First Capital Payments Smart Guide Making the Move to EMV: The Risks and the Rewards Understanding, Implementing, and Benefitting From EMV Technology By: Hiram Hernandez, Jr. CEO, First Capital

FAQ Tokenization: FAQs & General Information BACKGROUND As technology evolves, consumers are increasingly making their purchases online or through mobile devices and digital wallet applications and their

Quick Chip for EMV Specification Version 1.2 August 2016 Visa Public EMV is a registered trademark or trademark of EMVCo LLC in the United States and other countries. Important Information on Confidentiality